• 3,500 Students
• 450 Acre Campus
• 10k Node Ethernet Network
• 900 Network Devices (350 APs)
• 500 miles of fiber optic cable



Physical - Cat5, fiber, coax, aether
Data-Link - Frames: Ethernet; switches and hubs
Network - Packets: IP, IPX, AppleTalk; routers, firewalls



• (Ethernet) protocols were written in friendlier times
• Virtually no authentication; data is assumed trustworthy by client machines
• Must be in the same collision domain to exploit (on a switched network: the same broadcast domain / VLAN)
• Most firewalls don't care about L2 attacks
• Most switches will assist in a L2 attack
Hard and Crunchy on the Outside
• Firewalls
• VPN / Crypto / SSL
• IDS / IPS

Soft and Chewy on the Inside
• Unfirewalled hosts
• Vulnerable interior services
Does a potential attacker have L2 connectivity to your box?
• ... co-workers), hotels, conferences...
• ... of L2 neighbor ... vulner...

ejsmith@bucknell.edu



Networks where L3 Boundaries do not necessarily exist

[Image: Wi-Fi hotspot signage (Dunkin' Donuts, "Free Internet Available!!!")]










Agenda
• Spanning Tree
• Cisco Discovery Protocol
• Broadcast Flooding
• Putting it all Together
Ethernet Address Resolution Protocol - RFC 826
http://www.faqs.org/rfcs/rfc826.html
• Maps an L3 (IP) address to an L2 (MAC) address
• Always done dynamically...
Fry wants to reach Leela

Fry                          Leela
192.168.1.1/24               192.168.1.2/24
1111.1111.1111               2222.2222.2222

Fry   -> broadcast: "Who has 192.168.1.2?"
Leela -> Fry:       "192.168.1.2, here's my MAC addr" (2222.2222.2222)

C:\Fry>arp -a
Interface: 192.168.1.1 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.2           22-22-22-22-22-22     dynamic

C:\Leela>arp -a
Interface: 192.168.1.2 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           11-11-11-11-11-11     dynamic
Fry wants to ping Leela

Fry (192.168.1.1/24, 1111.1111.1111)  --ICMP Echo-Request-->  Leela (192.168.1.2/24, 2222.2222.2222)
Fry                                   <--ICMP Echo-Reply----   Leela

Frame on the wire (Fry -> Leela):
  Dst MAC 2222.2222.2222 | Src MAC 1111.1111.1111 | Type 0800 | IP Header | Payload [ICMP]
The attack

Zapp -> Fry: "192.168.1.2 is at 3333.3333.3333"

Fry    192.168.1.1/24  1111.1111.1111
Leela  192.168.1.2/24  2222.2222.2222
Zapp   192.168.1.3/24  3333.3333.3333

C:\Fry>arp -a
Interface: 192.168.1.1 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.2           33-33-33-33-33-33     dynamic

Nobody asked, but Fry believes the reply: every frame Fry now addresses to Leela goes to Zapp's MAC.
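Added example (not from the slides): the exchange above as actual bytes. It builds RFC 826 request/reply frames, parses them, and runs them through a toy host ARP cache that believes any sender pair it sees, which is exactly why Zapp's unsolicited reply lands in Fry's table. The hosts, MACs and the cache behaviour are constructed from the diagram; the `add_static` path previews the `arp -s` countermeasure the deck discusses later.

```python
import socket
import struct

ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"

# Hosts from the slides' diagram as (IP, MAC). Constructed values.
FRY = ("192.168.1.1", "11:11:11:11:11:11")
LEELA = ("192.168.1.2", "22:22:22:22:22:22")
ZAPP = ("192.168.1.3", "33:33:33:33:33:33")


def mac_to_bytes(mac):
    return bytes(int(octet, 16) for octet in mac.split(":"))


def bytes_to_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(op, sender, target_ip, target_mac=ZERO_MAC, dst_mac=BROADCAST):
    """Ethernet II header + the 28-byte RFC 826 body: hardware type 1 (Ethernet),
    protocol type 0x0800 (IPv4), hlen 6, plen 4, opcode, then sender MAC/IP and
    target MAC/IP. `sender` is an (ip, mac) pair."""
    sender_ip, sender_mac = sender
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
    body += mac_to_bytes(sender_mac) + socket.inet_aton(sender_ip)
    body += mac_to_bytes(target_mac) + socket.inet_aton(target_ip)
    return eth + body


def parse_arp(frame):
    """Decode an Ethernet/ARP frame; reject anything but IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP encoding")
    body = frame[22:42]
    return {
        "op": op,
        "sender_mac": bytes_to_mac(body[0:6]),
        "sender_ip": socket.inet_ntoa(body[6:10]),
        "target_mac": bytes_to_mac(body[10:16]),
        "target_ip": socket.inet_ntoa(body[16:20]),
    }


class ArpCache:
    """A host's ARP cache as shown by `arp -a`: ip -> (mac, "dynamic" | "static")."""

    def __init__(self):
        self.table = {}

    def add_static(self, ip, mac):
        """The `arp -s` countermeasure: a pinned entry is never overwritten."""
        self.table[ip] = (mac, "static")

    def process(self, frame):
        """The weakness the slides describe: the sender IP/MAC pair of *any* ARP
        packet is believed, request or reply, solicited or not."""
        packet = parse_arp(frame)
        current = self.table.get(packet["sender_ip"])
        if current is None or current[1] != "static":
            self.table[packet["sender_ip"]] = (packet["sender_mac"], "dynamic")
        return packet

    def lookup(self, ip):
        return self.table.get(ip)


def demo(pin_static=False):
    """Replay the slides: Fry resolves Leela, then Zapp claims Leela's address.
    Returns Fry's cache entry for 192.168.1.2 before and after Zapp's packet."""
    fry, leela = ArpCache(), ArpCache()
    if pin_static:
        fry.add_static(*LEELA)
    request = build_arp(ARP_REQUEST, FRY, LEELA[0])                       # "Who has 192.168.1.2?" (broadcast)
    leela.process(request)                                                 # Leela learns Fry from the request
    reply = build_arp(ARP_REPLY, LEELA, FRY[0], FRY[1], dst_mac=FRY[1])   # "192.168.1.2 is at 2222..."
    fry.process(reply)
    before = fry.lookup(LEELA[0])
    # Zapp's unsolicited reply: sender IP is Leela's, sender MAC is Zapp's.
    spoof = build_arp(ARP_REPLY, (LEELA[0], ZAPP[1]), FRY[0], FRY[1], dst_mac=FRY[1])
    fry.process(spoof)
    after = fry.lookup(LEELA[0])
    return before, after
```

`demo()` returns the dynamic entry flipping from 22-22-... to 33-33-...; `demo(pin_static=True)` returns the static entry unchanged both times. The frame is 42 bytes on the wire (14 Ethernet + 28 ARP); real NICs pad it to the 60-byte minimum.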






ARP can also deny service: announce an address that someone else holds.

Fry (192.168.1.1/24, 1111.1111.1111) -> broadcast: "Anyone have 192.168.1.1? Tell 192.168.1.1 at 1111.1111.1111"
Leela (configured 192.168.1.1/24, 2222.2222.2222) -> "I have 192.168.1.1"

Windows - System Error
  There is an IP address conflict with another system on the network

[Screenshot: "IP Configuration" dialog, 11:24 PM Friday: an address reported in use by 00:80:10:00:00:00, DHCP Server 192.168.1.1 - OK]
http://www.cisco.com/warp/public/707/cisco-sa-20060112-wireless.shtml
Cisco Bug ...
• APs running 12.3(7)JA1 are vulnerable
• Affects most Cisco AP's: 1400, 1200, 1100, 1300, 1230AG, 1130AG, 350



[Screenshot: Cisco Wireless LAN Solution Engine (WLSE) "Display Faults" page in Mozilla Firefox, Wed Jan 11, 2006 8:52:04. Fault Summary: Aironet AP 1210 devices (AL1-AL4 Zone1-3 APs and MCS-rm1154-B at bloomu.edu) all show "Device was not reachable via SNMP", severity P1, state Active, time-stamps 08:50:46-08:50:48 01/11/2006; one device (0013c32ed8b0, UnknownIEEE802dot11 / AccessPoint Station) shows "Device state is switchport traced rogue access point" at 14:41:04 01/10/2006; one shows "Inconsistent state found for query 'interface.radio.config'" at 06:49:28 07/26/2005.]
Countermeasures

1) Static ARP Assignments
   Potential administrative nightmare (for you!)

cat6k-MSFC# sh run int vlan 123
interface Vlan123
 description ...
 mac-address 0000.0000.0123
 no arp arpa
 ip address 172.16.123.254 255.255.255.0
end

Cat6k-MSFC(config)# arp 172.16.123.1 2716.0570.0000 arpa
1) Static ARP Assignments (client side)

Zapp (192.168.1.3/24, 3333.3333.3333) -> Fry: "192.168.1.2 is at 3333.3333.3333"

Fry    192.168.1.1/24  1111.1111.1111
Leela  192.168.1.2/24  2222.2222.2222

C:\Fry>arp -s 192.168.1.2 22-22-22-22-22-22

C:\Fry>arp -a
Interface: 192.168.1.1 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.2           22-22-22-22-22-22     static
2) One VLAN (/30) per host
   Numerous VLANs; difficult to scale

cat6k-MSFC# sh run int vlan 1000
interface Vlan1000
 description Quake4 Server
 ip address 192.168.1.2 255.255.255.252
end

Router side (cat6k-MSFC)    Host side
192.168.1.2/30              Server 1  192.168.1.1/30
192.168.1.6/30              Server 2  192.168.1.5/30
192.168.1.10/30             Server 3  192.168.1.9/30

3) Accept L2 as weak and encrypt at higher levels
4) 802.1...
5) Never allow client machines to share VLAN space with your infrastructure equipment's management interfaces!
6) Dynamic ARP Inspection (via DHCP Snooping Table)
7) Arpwatch (www-nrg.ee.lbl.gov)

*** Remember: 802.1x does not help! *** (it authenticates who may plug in, not what an admitted host sends afterwards)
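Added example (not from the slides): items 6 and 7 on the switch side. `dai_check` is the Dynamic ARP Inspection decision for one ARP packet arriving on an untrusted port, validated against a DHCP-snooping binding table; `ArpWatch` is the host-independent monitor arpwatch implements, reporting new stations, changed addresses and flip-flops. The bindings, ports and packet list are constructed from the Fry/Leela/Zapp diagram; the packets are given already parsed as (VLAN, ingress port, sender IP, sender MAC).

```python
class DhcpSnoopingTable:
    """Bindings a switch builds by watching DHCP ACKs on untrusted ports:
    ip -> (mac, vlan, port). Populated here with constructed leases."""

    def __init__(self, bindings):
        self.by_ip = {ip: (mac, vlan, port) for ip, mac, vlan, port in bindings}


def dai_check(table, vlan, port, sender_ip, sender_mac, trusted_ports=frozenset()):
    """Dynamic ARP Inspection for one ARP packet arriving on `port`: the sender
    IP/MAC pair must match a snooping binding for that VLAN on that port."""
    if port in trusted_ports:
        return "forward"                       # `ip arp inspection trust` (uplinks, DHCP server port)
    binding = table.by_ip.get(sender_ip)
    if binding is None:
        return "drop: no binding for sender IP"
    mac, bound_vlan, bound_port = binding
    if (mac, bound_vlan) != (sender_mac, vlan):
        return "drop: sender MAC/VLAN mismatch"
    if bound_port != port:
        return "drop: ingress port mismatch"
    return "forward"


class ArpWatch:
    """arpwatch-style monitor: remembers every MAC seen for an IP and reports
    "new station", "changed ethernet address" and "flip flop" (back to an old MAC)."""

    def __init__(self):
        self.history = {}                      # ip -> [mac, ...] in the order seen

    def observe(self, sender_ip, sender_mac):
        macs = self.history.setdefault(sender_ip, [])
        if not macs:
            macs.append(sender_mac)
            return ("new station", sender_ip, sender_mac)
        current = macs[-1]
        if sender_mac == current:
            return None
        kind = "flip flop" if sender_mac in macs else "changed ethernet address"
        macs.append(sender_mac)
        return (kind, sender_ip, current, sender_mac)


# Constructed ARP packets as (vlan, ingress port, sender IP, sender MAC), following the slides' diagram.
PACKETS = [
    (1, "Fa0/2", "192.168.1.2", "22:22:22:22:22:22"),   # Leela's genuine reply
    (1, "Fa0/3", "192.168.1.2", "33:33:33:33:33:33"),   # Zapp: "192.168.1.2 is at 3333.3333.3333"
    (1, "Fa0/3", "192.168.1.2", "22:22:22:22:22:22"),   # Zapp spoofing Leela's MAC as well
    (1, "Fa0/3", "10.0.0.9", "33:33:33:33:33:33"),      # a statically configured address, never leased
]


def demo():
    """Run the packets through DAI and through the watcher; return both result lists."""
    table = DhcpSnoopingTable([
        ("192.168.1.1", "11:11:11:11:11:11", 1, "Fa0/1"),
        ("192.168.1.2", "22:22:22:22:22:22", 1, "Fa0/2"),
        ("192.168.1.3", "33:33:33:33:33:33", 1, "Fa0/3"),
    ])
    verdicts = [dai_check(table, *packet) for packet in PACKETS]
    watch = ArpWatch()
    events = [watch.observe(ip, mac) for _, _, ip, mac in PACKETS]
    return verdicts, events
```

The fourth packet shows the operational cost of DAI: a host that never went through DHCP has no binding and is dropped, so static hosts need ARP ACLs or static bindings (the same administrative burden as item 1, but only for the exceptions). Arpwatch, by contrast, blocks nothing; it only tells you after the fact that 192.168.1.2 moved to Zapp's MAC and back.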
Fry (192.168.1.1/24, 1111.1111.1111) -- Fa0/1 -- [3550] -- Fa0/2 -- Leela (192.168.1.2/24, 2222.2222.2222)

3550>sh mac-address-table dynamic
          Mac Address Table
Mac Address       Type      Ports
1111.1111.1111    DYNAMIC   Fa0/1
2222.2222.2222    DYNAMIC   Fa0/2
Fry (192.168.1.1/24, 1111.1111.1111) -- Fa0/1 -- [3550] -- Fa0/2 -- Leela (192.168.1.2/24, 2222.2222.2222)
                                                  |
                                                 Fa0/3 -- Zapp, spoofing 2222.2222.2222

3550>sh mac-address-table dynamic
          Mac Address Table
Mac Address       Type      Ports
1111.1111.1111    DYNAMIC   Fa0/1
2222.2222.2222    DYNAMIC   Fa0/2

%RTD-1-ADDR_FLAP: FastEthernet0/2 relearning 51 addrs per min

The switch believes whichever port last sent a frame from 2222.2222.2222, so Leela's entry flaps between Fa0/2 and Fa0/3 and Fry's traffic for Leela is delivered to Zapp whenever Zapp spoke last.
Countermeasures

1) Port Security: Dynamic or Static

interface FastEthernet0/1
 desc 1st floor conference room near public entrance
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation {restrict | shutdown}
!
interface FastEthernet0/2
 desc 144B1 - Laser printer
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation {restrict | shutdown}
 switchport port-security mac-address 2716.0570.0000
end

restrict drops the offending frames and counts/traps them while the port stays up; shutdown err-disables the port, which then needs a manual shut/no shut or errdisable recovery.
2) Static MAC Address Assignments

3550#sh mac-address-table static interface fa0/1
          Mac Address Table
Vlan    Mac Address       Type      Ports
        0000.0000.0001    STATIC    Fa0/1
Total Mac Addresses for this criterion: 1
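Added example (not from the slides): a toy learning switch that reproduces the MAC-table behaviour of the 3550 above, reports address moves the way ADDR_FLAP does, and enforces `switchport port-security maximum 1` with the restrict and shutdown violation modes. Port names, MACs and the frame sequence are constructed from the Fry/Leela/Zapp diagram; the log strings are this model's own, not IOS messages.

```python
class Switch:
    """Toy learning switch with per-port port-security (constructed; not IOS)."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.cam = {}          # dynamic MAC address table: mac -> port
        self.security = {}     # port -> {"max": n, "violation": "restrict" | "shutdown"}
        self.secure = {}       # port -> set of secure MACs (static + dynamically learned)
        self.errdisabled = set()
        self.moves = {}        # mac -> number of port changes (what ADDR_FLAP reports)
        self.log = []

    def port_security(self, port, maximum=1, violation="restrict", static=()):
        """`switchport port-security maximum N violation MODE [mac-address ...]`."""
        self.security[port] = {"max": maximum, "violation": violation}
        self.secure[port] = set(static)

    def _allowed(self, port, src):
        cfg = self.security.get(port)
        if cfg is None:
            return True
        secured = self.secure[port]
        if src in secured:
            return True
        if len(secured) < cfg["max"]:
            secured.add(src)                 # first MAC seen becomes the secure address
            return True
        self.log.append(f"port-security violation on {port}: {src} ({cfg['violation']})")
        if cfg["violation"] == "shutdown":
            self.errdisabled.add(port)       # err-disable: nothing passes until recovered
        return False                         # restrict: drop the offending frame, keep the port up

    def receive(self, port, src, dst):
        """Process one frame; return the set of egress ports, or None if dropped."""
        if port in self.errdisabled or not self._allowed(port, src):
            return None
        old = self.cam.get(src)
        if old is not None and old != port:
            self.moves[src] = self.moves.get(src, 0) + 1
            self.log.append(f"ADDR_FLAP: {src} moved {old} -> {port}")
        self.cam[src] = port                 # learn (or relearn) the source address
        if dst in self.cam:
            return {self.cam[dst]}
        return {p for p in self.ports if p != port and p not in self.errdisabled}  # flood unknown/broadcast


FRY, LEELA, ZAPP = "1111.1111.1111", "2222.2222.2222", "3333.3333.3333"
BCAST = "ffff.ffff.ffff"


def demo(violation=None):
    """Zapp on Fa0/3 spoofs Leela's MAC; where does Fry's next frame for Leela go?
    Returns (egress ports, CAM entry for Leela, flap count, err-disabled ports)."""
    sw = Switch(["Fa0/1", "Fa0/2", "Fa0/3"])
    if violation:
        sw.port_security("Fa0/3", maximum=1, violation=violation)
    sw.receive("Fa0/1", FRY, BCAST)     # Fry's ARP request is flooded
    sw.receive("Fa0/2", LEELA, FRY)     # Leela's reply: table learns 2222 on Fa0/2
    sw.receive("Fa0/3", ZAPP, FRY)      # Zapp's own MAC is the first (secure) address on Fa0/3
    sw.receive("Fa0/3", LEELA, FRY)     # Zapp sends a frame with Leela's MAC as source
    egress = sw.receive("Fa0/1", FRY, LEELA)
    return egress, sw.cam.get(LEELA), sw.moves.get(LEELA, 0), sorted(sw.errdisabled)
```

Without port security the fifth frame goes out Fa0/3 and the table records one move of 2222.2222.2222; with `restrict` the spoofed frame is dropped and Leela keeps Fa0/2; with `shutdown` the same happens and Fa0/3 is err-disabled, taking Zapp's legitimate traffic down with it.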
Spanning Tree

L2 redundancy ...

Countermeasures

1) Don't use STP at all (then nothing detects a loop; only sane where the topology is loop-free by construction):
(config)# no spanning-tree vlan 1-4094

2) Disable STP per interface on access ports:
interface fa0/1
 desc access port
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
end
Caveat: interface-level bpdufilter silently discards incoming BPDUs, so bpduguard on the same port never fires; if you want the port err-disabled when someone plugs in a switch, use bpduguard alone.

3) Use Root Guard to block topology changes from access ports:
interface fa0/1
 desc access port
 spanning-tree guard root
end
Cisco Discovery Protocol
• Used by Cisco devices to discover neighbors
• Autoconfigurations (IP phones)
• Devices store neighbor information (device name, capabilities, etc.)
Cisco Discovery Protocol

Cat6K> (enable) sh cdp neighbors
* - indicates vlan mismatch.
# - indicates duplex mismatch.
Port  Device-ID               Port-ID              Platform
----  ----------------------  -------------------  ---------
2/1   Engineering_3550_1ST    GigabitEthernet0/1   WS-C3550
2/2   Engineering_3550_2ND    GigabitEthernet0/1   WS-C3550
2/3   Engineering_3550_3RD    GigabitEthernet0/1   WS-C3550
2/4   Engineering_3550_4TH    GigabitEthernet0/1   WS-C3550
Cat6k> (enable) sh cdp neighbors 2/11 detail
Port (Our Port): 2/11
Device-ID: Engineering_Labs_3550
Device Addresses:
  IP Address: 172.16.4.24
Holdtime: 156 sec
Capabilities: SWITCH IGMP
Version:
  Cisco Internetwork Operating System Software
  IOS (tm) C3550 Software (C3550-I9Q3L2-M), Version 12.1(20)EA1a, RELEASE SOFTWARE (fc1)
  Copyright (c) 1986-2004 by cisco Systems, Inc.
  Compiled Mon 19-Apr-04 21:42 by yenanh
Platform: Cisco WS-C3550-24-PWR
Port-ID (Port on Neighbors's Device): GigabitEthernet0/1
VTP Management Domain: Dist01
Native VLAN: unknown
Duplex: full
System Name: unknown
System Object ID: unknown
Management Addresses:
  IP Address: 172.16.4.24
Physical Location: unknown
More L2 Information Leakage
• Cisco environment
• Model number
• IOS version
• Management IP address
• Native VLAN
• Partial network topology
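Added example (not from the slides): what that leakage looks like on the wire. CDP is sent unauthenticated to the multicast MAC 01:00:0c:cc:cc:cc inside a SNAP frame; the payload is a 4-byte header (version, TTL, checksum) followed by type/length/value entries. The block builds an advertisement from the values in the `sh cdp neighbors 2/11 detail` output above (the native VLAN, which the output reports as unknown, is constructed as 1) and parses it back, which is all a listener on the segment has to do. The TLV layout and type numbers are CDP's own; the packet and the checksum helper are this example's.

```python
import struct

TLV_NAMES = {0x0001: "Device-ID", 0x0002: "Addresses", 0x0003: "Port-ID",
             0x0004: "Capabilities", 0x0005: "Version", 0x0006: "Platform",
             0x0009: "VTP Domain", 0x000A: "Native VLAN"}
CAPS = {0x01: "ROUTER", 0x02: "TB-BRIDGE", 0x04: "SR-BRIDGE", 0x08: "SWITCH",
        0x10: "HOST", 0x20: "IGMP", 0x40: "REPEATER"}


def tlv(tlv_type, value):
    """type (2) + length (2, counting this 4-byte header) + value."""
    return struct.pack("!HH", tlv_type, 4 + len(value)) + value


def address_tlv(ips):
    """Addresses TLV: count, then per address NLPID protocol 0xCC and a 4-byte IPv4."""
    body = struct.pack("!I", len(ips))
    for ip in ips:
        body += struct.pack("!BB", 1, 1) + b"\xcc" + struct.pack("!H", 4)
        body += bytes(int(octet) for octet in ip.split("."))
    return tlv(0x0002, body)


def checksum(data):
    """Ones'-complement sum over 16-bit words. Cisco handles an odd trailing
    byte differently from this plain IP-style sum; the helper is used
    consistently for building and verifying within this example only."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_cdp(device_id, ips, port_id, caps, version, platform, vtp_domain, native_vlan, ttl=180):
    tlvs = (tlv(0x0001, device_id.encode()) + address_tlv(ips)
            + tlv(0x0003, port_id.encode()) + tlv(0x0004, struct.pack("!I", caps))
            + tlv(0x0005, version.encode()) + tlv(0x0006, platform.encode())
            + tlv(0x0009, vtp_domain.encode()) + tlv(0x000A, struct.pack("!H", native_vlan)))
    header = struct.pack("!BBH", 2, ttl, 0)            # CDP version 2, TTL, checksum placeholder
    return struct.pack("!BBH", 2, ttl, checksum(header + tlvs)) + tlvs


def parse_addresses(value):
    count = struct.unpack("!I", value[:4])[0]
    i, ips = 4, []
    for _ in range(count):
        _ptype, plen = struct.unpack("!BB", value[i:i + 2])
        proto = value[i + 2:i + 2 + plen]
        alen = struct.unpack("!H", value[i + 2 + plen:i + 4 + plen])[0]
        addr = value[i + 4 + plen:i + 4 + plen + alen]
        i += 4 + plen + alen
        if proto == b"\xcc" and alen == 4:
            ips.append(".".join(str(b) for b in addr))
    return ips


def parse_cdp(payload):
    """Walk the TLVs; returns a dict keyed by TLV name (what the neighbor table shows)."""
    version, ttl, stored = struct.unpack("!BBH", payload[:4])
    if version != 2:
        raise ValueError("unsupported CDP version")
    if checksum(payload[:2] + b"\x00\x00" + payload[4:]) != stored:
        raise ValueError("bad checksum")
    out, i = {"ttl": ttl}, 4
    while i + 4 <= len(payload):
        tlv_type, length = struct.unpack("!HH", payload[i:i + 4])
        if length < 4 or i + length > len(payload):
            raise ValueError("bad TLV length")
        value = payload[i + 4:i + length]
        name = TLV_NAMES.get(tlv_type, f"type-{tlv_type:#06x}")
        if tlv_type == 0x0002:
            out[name] = parse_addresses(value)
        elif tlv_type == 0x0004:
            bits = struct.unpack("!I", value)[0]
            out[name] = [cap for bit, cap in CAPS.items() if bits & bit]
        elif tlv_type == 0x000A:
            out[name] = struct.unpack("!H", value)[0]
        else:
            out[name] = value.decode("ascii", "replace")
        i += length
    return out


def build_advertisement():
    """The neighbor from the `sh cdp neighbors 2/11 detail` output (native VLAN constructed as 1)."""
    return build_cdp("Engineering_Labs_3550", ["172.16.4.24"], "GigabitEthernet0/1", 0x08 | 0x20,
                     "Cisco Internetwork Operating System Software IOS (tm) C3550 Software "
                     "(C3550-I9Q3L2-M), Version 12.1(20)EA1a, RELEASE SOFTWARE (fc1)",
                     "Cisco WS-C3550-24-PWR", "Dist01", 1)


def demo():
    return parse_cdp(build_advertisement())
```

Everything `demo()` returns (device name, management IP, exact IOS build, platform, VTP domain, native VLAN, the port you are plugged into) is handed to anyone on the segment every 60 seconds by default, which is why the next slide turns CDP off on access ports.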
Countermeasures

Disable CDP per port:
interface FastEthernet0/1
 desc access port
 no cdp enable
end

(`no cdp run` turns it off globally, but then the IP-phone autoconfiguration and neighbor tables on uplinks go too; per-port on access ports keeps both.)
IOS Defaults encourage Dynamic Trunks

# sh run int fa0/24
interface FastEthernet0/24
 description default port setting on 3550
 switchport mode dynamic desirable
end
(IOS 12.2.25)

# sh int trunk
Port      Mode         Encapsulation  Status    Native vlan
Fa0/24    desirable    n-isl          trunking

3550_1_15#sh dtp int fa0/24
DTP information for FastEthernet0/24:
  TOS/TAS/TNS: TRUNK/DESIRABLE/TRUNK

(TOS = trunk operational status, TAS = trunk administrative status, TNS = trunk negotiation status: the port is administratively "desirable" and has negotiated itself into a trunk.)
Dynamic Trunking Protocol

Router ACL:
  Deny all traffic from VLAN 300 to VLAN 200
  Permit TCP ports 80, 443 from VLAN 300 to VLAN 100
  Permit all traffic from VLAN 300 to outside net

VLAN 300  Guests
VLAN 100  Public Servers
VLAN 200  Private Servers

After the guest's port negotiates a trunk (the switch default is dynamic desirable), the guest host carries VLANs 1, 100, 200, ... directly and the router ACL between VLAN 300 and the server VLANs is never consulted.
Countermeasures

Disable DTP on access ports:
interface fa0/24
 desc no trunking
 switchport access vlan 300
 switchport mode access
end
(`switchport mode access` keeps the port from ever becoming a trunk; adding `switchport nonegotiate` also stops it from sending DTP frames at all.)

Sensitive VLANs on Dynamic Trunks: prune what a trunk may carry
interface FastEthernet0/24
 desc allow trunking of specified vlans only
 switchport trunk allowed vlan 200,300
end
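Added example (not from the slides): the two countermeasures above as a decision model. `dtp_result` gives the operational mode a port ends up in for each combination of administrative modes (the table Cisco documents for DTP), and `Port.ingress` shows what happens to an 802.1Q-tagged frame from the guest on a port that negotiated a trunk, on a `switchport mode access` port, and on a trunk pruned with `switchport trunk allowed vlan 200,300`. The tag encoding is the standard's; the frame bytes, port objects and VLAN numbers (100 public, 200 private, 300 guests) are constructed from the slides.

```python
import struct

TPID = 0x8100  # 802.1Q tag protocol identifier


def tag(frame, vid, pcp=0):
    """Insert one 802.1Q tag (TPID + TCI) between the MAC addresses and the EtherType."""
    tci = (pcp << 13) | (vid & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID, tci) + frame[12:]


def untag(frame):
    """Return (VLAN id or None, frame with the tag removed)."""
    if len(frame) < 16 or struct.unpack("!H", frame[12:14])[0] != TPID:
        return None, frame
    vid = struct.unpack("!H", frame[14:16])[0] & 0x0FFF
    return vid, frame[:12] + frame[16:]


def dtp_result(local, remote):
    """Operational mode of the local port given both sides' administrative
    modes. 'access' and 'trunk' are fixed; 'auto' only answers a request;
    'desirable' asks. A 'nonegotiate' peer sends no DTP, so a dynamic port
    facing it stays in access mode."""
    if local in ("access", "trunk"):
        return local
    if local == "auto":
        return "trunk" if remote in ("trunk", "desirable") else "access"
    if local == "desirable":
        return "trunk" if remote in ("trunk", "desirable", "auto") else "access"
    raise ValueError(f"unknown mode {local!r}")


class Port:
    def __init__(self, mode, access_vlan=1, native_vlan=1, allowed=None):
        self.mode = mode                      # switchport mode ...
        self.access_vlan = access_vlan        # switchport access vlan ...
        self.native_vlan = native_vlan        # switchport trunk native vlan ...
        self.allowed = None if allowed is None else set(allowed)   # None = all 1-4094

    def ingress(self, peer_mode, frame):
        """Classify an incoming frame: (vlan, untagged frame) or None if dropped."""
        oper = dtp_result(self.mode, peer_mode)
        vid, bare = untag(frame)
        if oper == "access":
            # an access port only accepts untagged frames (or a tag for its own VLAN)
            return (self.access_vlan, bare) if vid in (None, self.access_vlan) else None
        if vid is None:
            vid = self.native_vlan            # untagged on a trunk = native VLAN
        if self.allowed is not None and vid not in self.allowed:
            return None                       # pruned by `switchport trunk allowed vlan`
        return vid, bare


def demo():
    """Guest on Fa0/24 tries to inject a frame tagged for the private VLAN 200."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("0066778899aa") + b"\x08\x00" + b"payload"
    results = {}
    default = Port("desirable", access_vlan=300)       # IOS default from the slide
    results["default port, tag 200"] = default.ingress("desirable", tag(eth, 200))
    hardened = Port("access", access_vlan=300)         # switchport mode access
    results["mode access, tag 200"] = hardened.ingress("desirable", tag(eth, 200))
    results["mode access, untagged"] = hardened.ingress("desirable", eth)
    uplink = Port("trunk", allowed={200, 300})         # switchport trunk allowed vlan 200,300
    results["trunk, tag 100"] = uplink.ingress("trunk", tag(eth, 100))
    results["trunk, tag 200"] = uplink.ingress("trunk", tag(eth, 200))
    return results
```

On the default port the guest's DTP "desirable" is enough to get a trunk, and the frame tagged 200 is accepted into the private server VLAN; on the access port the same frame is dropped and only untagged traffic lands in VLAN 300. The pruned trunk shows the second countermeasure: VLAN 100 never crosses it even though the link is a genuine trunk.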
Broadcast Flooding

Storm control, packets per second (rising / falling):
(config-if)# storm-control unicast level pps 100 50
(config-if)# storm-control multicast level pps 100 50

Storm control, percentage of bandwidth (rising / falling):
(config-if)# storm-control broadcast level 1 0.5
(config-if)# storm-control unicast level 50 40

Traffic of that type is blocked once it exceeds the rising level and is forwarded again only after it drops below the falling level.
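Added example (not from the slides): the rising/falling behaviour of those `storm-control` lines modelled on constructed per-second broadcast counts, plus the optional shutdown action. The per-interval measurement and the "whole interval blocked" simplification are this model's; IOS meters within the interval, but the hysteresis between the two thresholds is the same.

```python
class StormControl:
    """Toy model of `storm-control <type> level pps RISING FALLING` on one port."""

    def __init__(self, rising_pps, falling_pps, action="filter"):
        if falling_pps > rising_pps:
            raise ValueError("falling threshold must not exceed rising threshold")
        self.rising, self.falling, self.action = rising_pps, falling_pps, action
        self.suppressing = False
        self.errdisabled = False
        self.events = []

    def interval(self, t, pps):
        """Feed one measurement interval; return how many packets were forwarded."""
        if self.errdisabled:
            return 0
        if not self.suppressing and pps > self.rising:
            self.suppressing = True
            self.events.append((t, "storm start", pps))
            if self.action == "shutdown":        # `storm-control action shutdown`
                self.errdisabled = True
                self.events.append((t, "err-disabled", pps))
                return 0
        elif self.suppressing and pps < self.falling:
            self.suppressing = False
            self.events.append((t, "storm end", pps))
        return 0 if self.suppressing else pps


def percent_to_pps(level_percent, link_bps=100_000_000, frame_bytes=64):
    """Rough pps behind a percentage level: 20 bytes of preamble and inter-frame
    gap are added per frame, so this is a line-rate estimate, not IOS's meter."""
    return level_percent / 100 * link_bps / (8 * (frame_bytes + 20))


SAMPLE = [(0, 20), (1, 150), (2, 120), (3, 70), (4, 40), (5, 30)]  # constructed broadcast pps per second


def demo(action="filter"):
    """Run the sample through `level pps 100 50`; return (forwarded per second, events)."""
    sc = StormControl(100, 50, action)
    forwarded = [sc.interval(t, pps) for t, pps in SAMPLE]
    return forwarded, sc.events
```

With `level pps 100 50` the storm starts at second 1 (150 pps) and stays blocked through 120 and 70 pps, since those are still above the falling level of 50; it clears at second 4 (40 pps). Setting rising and falling equal removes the hysteresis and makes the port flap with the traffic. The percentage form is coarse: 1% of 100 Mbps is roughly 1,488 minimum-size frames per second.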
Putting it all Together

interface FastEthernet0/12
 description Somewhat more secure access port
 switchport mode access
 switchport access vlan 100
 switchport port-security
 switchport port-security maximum 1
 switchport port-security violation restrict
 storm-control broadcast level 1.00 0.50
 storm-control multicast level 1.00 0.50
 storm-control unicast level 50.00 40.00
 no cdp enable
 spanning-tree bpduguard enable
 spanning-tree guard root
 no keepalive
end
Current Incident ...

[Screenshot: pager alert, Sat, Jan 14, 9:17 am, From: ...@bucknell.edu: "(Broadcast Storm) Broadcast Storm detected on 10.160... Fa0/7 (I)gnore (S)hutdown (Q)uarantine?"]

Wireless Killbox
• Automatic search-and-...
• Network...
References
• Network Security Architectures, Sean Convery
• Cisco IOS Switch Security Configuration Guide, NSA
• www.phenoelit.de/irpas
• rude.sourceforge.net

Thanks
• Darren Cromer & Cisco PSIRT Team
• Jeremy Powlus, Evil Graphics Overlord
• ...hicus
• Bill Barnes, PSKL / Bloomsburg University
• Del Bruno, PSKL